
Multi-Factor Authentication for Office 365

Paul Andrew is a technical product manager on the Office 365 team working on identity.

Today we’re adding Multi-Factor Authentication for Office 365 to Office 365 Midsize Business, Enterprise plans, Academic plans, Nonprofit plans, and standalone Office 365 plans, including Exchange Online and SharePoint Online. This will allow organizations with these subscriptions to enable multi-factor authentication for their Office 365 users without requiring any additional purchase or subscription.

Multi-factor authentication increases the security of user logins for cloud services above and beyond just a password. With Multi-Factor Authentication for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

Multi-factor authentication has been available for Office 365 administrative roles since June 2013, and today we’re extending this capability to any Office 365 user. We’re also enhancing the capabilities that have been available since June. We’re adding App Passwords so users can still authenticate from Office desktop applications, which have not yet been updated to support multi-factor authentication. And we’re making multi-factor authentication available to users who authenticate through a federated on-premises directory.

This addition of multi-factor authentication is part of our ongoing effort to enhance security for Office 365, and we’re already working on Office desktop application improvements to Multi-Factor Authentication for Office 365, which we’ll introduce later in this post. Office 365 offers many robust built-in security features for all customers and also optional controls that enable subscribers to customize their security preferences. More information about security in Office 365 is available in the Office 365 Trust Center.

Let’s take a look at how Office 365 customers can take advantage of multi-factor authentication and configure it, including using App Passwords for Office desktop applications.

Screenshot mfa_01: After entering your account password, you see a message like this while your phone is being called for acknowledgement.

Multi-Factor Authentication for Office 365

Office 365 administrators enroll users for multi-factor authentication through the Office 365 admin center.

Screenshot mfa_02: On the users and groups page in the Office 365 admin center, you can enroll users for multi-factor authentication by clicking the Set Multi-factor authentication requirements: Set up link.

Screenshot mfa_03: The multi-factor authentication page lists the users and allows you to enroll a user for multi-factor authentication.

After a user is enabled for multi-factor authentication, they will be required to configure their second factor of authentication at their next login. Each subsequent login is enforced and will require use of the password and phone acknowledgement.

Screenshot mfa_04: After being enrolled for multi-factor authentication, the next time a user signs in, they see a message asking them to set up their second authentication factor.

Any of the following may be used for the second factor of authentication.

  1. Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
  2. Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
  3. Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them.
  4. Notify me through app. The user configures a smartphone app and receives a notification in the app that they must confirm to complete the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices.
  5. Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal.

Screenshot mfa_05: Once a user is signed in, they can change their second factor of authentication. The settings menu is the little cog at the top right of the portal screen; in the settings menu, click the additional security verification link.


App Passwords in Multi-Factor Authentication for Office 365

Users who are enrolled for multi-factor authentication are required to configure App Passwords in order to use Office desktop applications, including Outlook, Lync, Word, Excel, PowerPoint, and SkyDrive Pro.

Once an information worker has logged in with multi-factor authentication, they will be able to create one or more App Passwords for use in Office client applications. An App Password is a 16-character randomly generated password that can be used with an Office client application as a way of increasing security in lieu of the second authentication factor.

App Passwords are not available for use with PowerShell access to Office 365, and they can be turned off entirely for the Office 365 tenant for customers who have special security policies.

Screenshot mfa_06: After you’ve created an App Password for an Office desktop application, such as Outlook, it is listed in your account.


Road map for multi-factor authentication in Office desktop applications

Microsoft is continuing to invest in multi-factor authentication scenarios, including Office client integration and smart card certificates. Today’s release of multi-factor authentication does not include a second factor of authentication for Office desktop applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell, and SkyDrive Pro. As we noted in the App Password section above, however, users who have been enrolled for multi-factor authentication currently have an alternative: they can use App Passwords to log in to Office client applications with a higher level of security than a user-selected password.

Soon Office 365 customers will be able to use multi-factor authentication directly from Office 2013 client applications. We’re planning to add native multi-factor authentication for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell, and OneDrive for Business, with a release date planned for later in 2014. This update includes the current phone-based multi-factor authentication, and it adds the capability to integrate other forms of authentication, such as third-party multi-factor authentication solutions and smart cards. Smart card support is planned to include the U.S. Department of Defense (DoD) Common Access Card (CAC) and the U.S. Federal Personal Identity Verification card (PIV), among others. We’ll give you more information about these and other updates closer to release.

For more information about Multi-Factor Authentication for Office 365, please read the TechNet article Multi-Factor Authentication for Office 365.

– Paul Andrew @pndrw


Frequently asked questions

Q:  Which Office 365 plans include Multi-Factor Authentication?

A: Office 365 Midsize Business, Enterprise plans, Academic plans, Nonprofit plans, and standalone Office 365 plans, including Exchange Online and SharePoint Online. MFA is not currently included in Office 365 Small Business and Office 365 Dedicated plans.

Q: Is Multi-Factor Authentication available for government customers?

A: Yes, customers with government-specific G SKU plans will have Multi-Factor Authentication included. Government customers using Office 365 Dedicated will not have Multi-Factor Authentication included.

Q: Is Multi-Factor Authentication available when using smartphones?

A: Multi-Factor Authentication can be used from smartphones by using the browser on the phone to access Office 365. Mail apps on smartphones can use an App Password to authenticate if the user has Multi-Factor Authentication enabled. Neither Multi-Factor Authentication nor App Password sign-in is currently compatible with OWA for iPhone/iPad.

18 comments
  1. Is there an API for using a custom second factor? Is that something that is planned?

      • Paul, just to clarify. Can customer have ADFS AND 2 factor auth enabled in Office 365?

        • Yes, you can have ADFS and the cloud based multi-factor authentication enabled at the same time with Office 365. One thing to avoid is setting up ADFS with a multi-factor authentication provider at the same time as enabling cloud based multi-factor authentication as this will result in users having to enter two second factor authentications.

          • Hi Paul,

            Maybe I’m missing something, but where do I find the article that incorporates MFA for O365 in ADDS?

            Thanks,
            Shawn

          • Hi Shawn, I assume you mean ADFS rather than ADDS. Multi-Factor Authentication for Office 365 works just fine with federated users who are using ADFS. For additional functionality and use of MFA for on-premises logins, you can integrate the server that is available with Windows Azure Multi-Factor Authentication with ADFS. Here’s a good article on TechNet where you can start reading: http://technet.microsoft.com/en-us/library/dn280949.aspx

  2. How do I access the settings for App Passwords (when I want to generate additional passwords)?

    • After you are signed in to Office 365, click the cog and choose Office 365 Settings. On the Office 365 settings page choose additional security verification. Then select Update my phone numbers used for account security. You should then see a page with options for additional security verification, and app passwords settings.

  3. For Educational Institutions, we would want to have 2-factor to be optional per-user, and have it so the user could opt-in/opt-out. Will the current system allow the user to selectively opt-in, or can this only be flagged by the administrator?

    If only the administrator can flag this, can this be controlled by PowerShell, so that we could build an opt-in/opt-out page on our own systems that remotely triggers the setting for the user?

    • The administrator can enable each user individually in the Office 365 admin portal, or using PowerShell. Users do not have permission to enroll themselves. If you are running PowerShell using administrator credentials then you can enable, or disable a specific user. I would advise caution if delegating your administrator credentials to a web page or something else that your end users have access to.

      • Not entirely what I was asking. If it is enabled by the administrator for a user, is it then mandatory, or can the user elect to finish enabling it? i.e. could I enable it for all users, and only those who really want to use it enable it?

        If not, could this be put in as a change design request? Being able to set between ‘required’, ‘disabled’, or ‘optional (user choice)’ would be helpful in large environments. With over 40,000 student accounts, we won’t know in advance who has or does not have a cell method for second factor, so blindly setting all to ‘required’ would be very bad, but if we could set all to user choice, we could probably get to 85% usage in just a few days.
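The per-user enable/disable that the reply above says is possible from PowerShell, as an added example that is not part of the post or the comment thread. It assumes the MSOnline (Azure AD v1) module, an account holding an admin role, and a constructed CSV file name; the script is meant to be run interactively by an administrator, not behind a self-service web page.

```powershell
# Added example: per-user MFA enrollment with the MSOnline PowerShell module.
# Assumes the module is installed and the caller holds an Office 365 admin role.
Import-Module MSOnline
Connect-MsolService   # prompts for administrator credentials

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State = 'Enabled'
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array removes the MFA requirement from the user.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'   # apply to every relying party, i.e. all of Office 365
    $req.State = $State       # 'Enabled': user sets up a second factor at next sign-in
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Enroll the users listed in an opt-in CSV (constructed file name; needs a
# UserPrincipalName column). This keeps the admin in control of who is enabled.
Import-Csv .\mfa-optin.csv | ForEach-Object {
    Set-UserMfaState -UserPrincipalName $_.UserPrincipalName -State 'Enabled'
}

# Audit the rollout: report each user's current MFA state.
Get-MsolUser -All | Select-Object UserPrincipalName, @{
    Name       = 'MfaState'
    Expression = {
        if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State
        } else { 'Disabled' }
    }
}
```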

  4. Paul, you’ve mentioned “federated on-premises directory”, but that’s not a complete answer. We’re using our on-premises Active Directory domain and Office 365 with DirSync due to the much decreased maintenance and setup efforts it takes. We’re very-very happy with it, so we definitely aren’t planning to switch to a federation scenario.

    So I’m all curious whether you’re planning to support that as well or not. Please, tell me that you are :)

    • Hi bviktor, you can use Multi-Factor Authentication for Office 365 without configuring ADFS. Your setup with DirSync is fine and you can enable Multi-Factor Authentication for those users now.

  5. Very nice to see this rolled out to all users. It’s going to be a deal breaker for us to roll out beyond Admins though, without OWA for iPhone and iPad support. Any idea on when we will see that?

    • Hi Paul – any ideas on when we’ll see OWA for iOS support?

      • @jacobp There isn’t any more information available other than what is in the FAQ on this page. The OWA for iPhone/iPad is not currently compatible with Multi-Factor Authentication. But thank you for the feedback.

        Regards,
        Paul

  6. Hi,
    Can this be enabled for Microsoft Live Id access only. We are considering enabling this method for third party collaboration?
    If this is enabled for all users, does it force them to use multi-factor authentication even if the user is on the corporate domain. Ideally we’d like it to activate for users when they are not on the corporate domain.
    Thanks
    Chris

    • Hi cpayne, for Live ID based external users the user would have to enable multi-factor authentication individually for themselves at https://account.live.com/proofs/Manage. You can recommend that to your external users but you cannot enforce it.

      Regards,
      Paul
